---------------------------- = ----------------------------
2006/10/27 1
CELF Japan Technical Jamboree #11


Introducing Secure OS into Embedded System


Keijiro Yano
TOSHIBA Corp.

2006/10/27 TOSHIBA
[translated by ikoma]
---------------------------- = ----------------------------

Contents

* What is Secure OS?
* What Secure OSes are available on Linux?
* Which are handy to evaluate?
* SE Linux vs. LIDS
  - Installation Requirement
  - Security Features
  - Memory Footprint
  - Bootup Time
* Issues?
* To Do

---------------------------- = ----------------------------

What is Secure OS?

* An OS with stronger access control functions that raise its resistance
  to intrusion attacks. To withstand a root compromise, it:
  - Introduces MAC (mandatory access control) that applies to all
    users, root included
  - Introduces per-process access control that constrains every
    process, whatever authority it runs with
  - Controls privilege escalation so that no unnecessary privilege
    is granted

Even if a service is exploited, the secure OS tries to minimize the damage.

---------------------------- = ----------------------------

Secure OSes for Linux

* SE Linux
  - Primarily developed by the US NSA (National Security Agency)
  - Linux kernel security extension module using LSM (Linux
    Security Modules)
  - Merged into the mainline Linux 2.6 series

* LIDS (Linux Intrusion Detection System)
  - First version released by Xie Huagang and Philippe Biondi
    on October 15, 1999
  - Linux kernel security extension module using LSM (Linux
    Security Modules)
  - Released as separate patches for the Linux kernel 2.4 series
    and the 2.6 series

---------------------------- = ----------------------------

Secure OSes for Linux

* AppArmor
  - Primarily developed by Novell. First released in January 2006
    under the GPL.
  - Linux kernel security extension module using LSM (Linux
    Security Modules)
  - Currently released in the form of patches

* TOMOYO Linux
  - Primarily developed by NTT Data. First released in November
    2005 under the GPL.
  - Released as patches against each Linux kernel version; does not
    use LSM

* Umbrella
  - Security module designed for CE devices such as PDAs.
    GPL licensed.
  - Linux kernel security extension module using LSM (Linux
    Security Modules)

* LOMAC

---------------------------- = ----------------------------

SE Linux vs. LIDS

* Criteria for selecting the evaluation targets
  - Must work with Linux kernel 2.6.10
  - If patches are necessary, they must apply cleanly
  - Documentation describing usage etc. must be widely available

=> SE Linux vs. LIDS
  -> Used the SE Linux included in kernel 2.6.10
  -> Used LIDS 2.2.1 (released 2005-08-30); the latest release is
     LIDS 2.2.2

---------------------------- = ----------------------------

References

* Results of Linux Consortium Security WG
  "Evaluation Items of Secure OSes (Ver.1.0)"
http://www.linuxcons.gr.jp/pdf/sec04_output.pdf [in Japanese]

---------------------------- = ----------------------------

Functional Comparison for Embedded Usage(SE Linux vs. LIDS)

* Installation Requirement
* Security Features
* Memory Footprint
* Bootup Time

---------------------------- = ----------------------------

Functional Comparison for Embedded Usage(SE Linux vs. LIDS)
- Installation Requirement - 

+----------------------+-----------------------+---------------+
|                      | SE Linux              | LIDS          |
+----------------------+-----------------------+---------------+
|Kernel Version        | 2.6                   | 2.4 / 2.6     |
+----------------------+-----------------------+---------------+
|CPU Architecture      | independent           | independent   |
+----------------------+-----------------------+---------------+
|Filesystem Dependency | must support xattr *1 | not dependent |
+----------------------+-----------------------+---------------+
|BusyBox extension     | required *2           | not required  |
+----------------------+-----------------------+---------------+
|special library       | required *3           | not required  |
+----------------------+-----------------------+---------------+

*1: SE Linux stores its security information in extended attributes,
    so the file system must have an area in which to hold them.
    cramfs, which we use as the root file system for embedded
    targets, has no such area (we had to add one; see the next slide).

*2: BusyBox is a single program that provides the basic Linux
    commands and is widely used on embedded systems. Under SE Linux
    even a basic command must be able to obtain security information,
    so BusyBox must be extended to support this.

*3: A special library is required to handle extended attributes.
    Usually your own programs do not need to be linked against it.

---------------------------- = ----------------------------

Issues on Filesystems

<<Our evaluation system requires cramfs!>>

* To use SE Linux, cramfs must be extended.
  > cramfs has no area in which to store xattr information.
    -> We implemented an extension that stores xattr information.
    Note that the xattr information still has to be written to
    cramfs after boot-up; it is not part of the image.

* On LIDS, care must be taken with inode numbers.
  > LIDS keeps its security information per inode number.
    cramfs derives inode numbers from a file's position and size in
    the image, so once the security setting file is modified (and
    its size changes), the inode numbers of other files may change.

      *** This is circular: the security setting file has to be
          updated with the reassigned inode numbers, but editing it
          changes its size, which may reassign inode numbers again...
          and our evaluation system requires cramfs! ***

---------------------------- = ----------------------------

Functional Comparison for Embedded Usage(SE Linux vs. LIDS)
- Security Features - 


+--------------------+--------------------+--------------------+
|                    |   SE Linux         |     LIDS           |
+--------------------+--------------------+--------------------+
| granularity of     | can set total 210  | can set 4 types of |
|  access control    | access vectors for | access control for |
|                    | 52 object classes  | files/directories; |
|                    |                    | 31 for processes   |
+--------------------+--------------------+--------------------+
| access control for | yes                | yes                |
| files/directories  |                    |                    |
+--------------------+--------------------+--------------------+
| access control for | yes                | no                 |
| links              |                    |                    |
+--------------------+--------------------+--------------------+
| access control for | yes                | partially          |
| special files      |                    |                    |
+--------------------+--------------------+--------------------+
| access control for | yes                | partially          |
| pipes              |                    |                    |
+--------------------+--------------------+--------------------+
| access control for | yes                | partially          |
| interprocess       |                    |                    |
| communications     |                    |                    |
+--------------------+--------------------+--------------------+
| access control for | yes                | partially          |
| kernel log         |                    |                    |
+--------------------+--------------------+--------------------+
| load/unload control| yes                | yes                |
| for kernel modules |                    |                    |
+--------------------+--------------------+--------------------+
| access control     | yes                | partially          |
| per process        |                    |                    |
+--------------------+--------------------+--------------------+
| access control     | yes                | no                 |
| per user           |                    |                    |
+--------------------+--------------------+--------------------+


---------------------------- = ----------------------------

Issues of LIDS for Embedded Systems
- Security Features - 

* Access control for links is not supported
    LIDS resolves the (normalized) file name to an inode number and
    saves the security setting per inode number.
    Each command provided by BusyBox is a symbolic link to the same
    binary.
      -> Security cannot be set for individual commands

* Access control for special files is only partially possible
    cramfs assigns the same inode number to all special files
      -> Security cannot be set individually for special files

* Insufficient support of access control for interprocess communication
    Only what the standard Linux capabilities can express, plus
    protection from signals, is supported.
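Both file-system conditions above (and the ones on the "Issues on Filesystems" slide) can be checked on a target before committing to either secure OS. The C program below is an added example written for this edit, not code from the slides, from SE Linux or from LIDS. It assumes a Linux target, probes the security.selinux attribute on a path given on the command line, and builds a constructed BusyBox-style layout in a temporary directory under /tmp (one busybox binary with ls, cat and sh symlinks; the names are illustrative) to show how many objects an inode-keyed policy can actually distinguish:

```c
/* Added example, not code from the Toshiba slides or from either project.
 * probe_selinux_xattr() tells "this file system cannot hold the
 * security.selinux label" (ENOTSUP, the cramfs case) apart from "the file
 * is merely unlabeled" (ENODATA).  count_distinct_inodes() shows why an
 * inode-keyed policy such as LIDS's cannot give different rules to paths
 * that resolve to one inode, which is what BusyBox applet symlinks do.
 * Linux-only: lgetxattr() and the security.* namespace are Linux APIs. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/xattr.h>

enum xattr_state {
    XATTR_LABELED,      /* getxattr returned a label */
    XATTR_UNLABELED,    /* ENODATA: fs supports xattrs, file has no label yet */
    XATTR_UNSUPPORTED,  /* ENOTSUP: fs has nowhere to store the label */
    XATTR_ERROR         /* anything else: ENOENT, EACCES, ... */
};

/* Classify the errno left behind by a failed getxattr(). */
enum xattr_state classify_xattr_errno(int err)
{
    if (err == ENODATA) return XATTR_UNLABELED;
    if (err == ENOTSUP || err == EOPNOTSUPP) return XATTR_UNSUPPORTED;
    return XATTR_ERROR;
}

/* Read security.selinux without following symlinks (SE Linux labels the
 * link itself).  label must have room for at least 2 bytes. */
enum xattr_state probe_selinux_xattr(const char *path, char *label, size_t len)
{
    ssize_t n = lgetxattr(path, "security.selinux", label, len - 1);
    if (n < 0) return classify_xattr_errno(errno);
    label[n] = '\0';
    return XATTR_LABELED;
}

/* Resolve each path with stat() (following symlinks, as the kernel does when
 * it executes the target) and count distinct (st_dev, st_ino) pairs: the
 * number of objects an inode-keyed policy can tell apart.  -1 on error. */
int count_distinct_inodes(const char *const *paths, int n)
{
    struct stat *st = calloc((size_t)n, sizeof *st);
    int distinct = 0;
    if (!st) return -1;
    for (int i = 0; i < n; i++) {
        if (stat(paths[i], &st[i]) != 0) { free(st); return -1; }
        int seen = 0;
        for (int j = 0; j < i && !seen; j++)
            seen = st[j].st_dev == st[i].st_dev && st[j].st_ino == st[i].st_ino;
        distinct += !seen;
    }
    free(st);
    return distinct;
}

/* Constructed BusyBox-style layout in a temp dir: one binary plus the applet
 * symlinks ls, cat and sh.  Returns how many distinct inodes the four paths
 * map to (1 means per-command rules are impossible), or -1 if setup fails. */
int demo_busybox_applets(void)
{
    static const char *applets[] = { "ls", "cat", "sh" };
    char dir[] = "/tmp/lids-demo-XXXXXX", bin[64], app[3][64];
    if (!mkdtemp(dir)) return -1;
    snprintf(bin, sizeof bin, "%s/busybox", dir);
    int fd = open(bin, O_WRONLY | O_CREAT | O_EXCL, 0755);
    if (fd < 0) return -1;
    close(fd);
    for (int i = 0; i < 3; i++) {
        snprintf(app[i], sizeof app[i], "%s/%s", dir, applets[i]);
        if (symlink("busybox", app[i]) != 0) return -1;
    }
    const char *paths[4] = { bin, app[0], app[1], app[2] };
    int distinct = count_distinct_inodes(paths, 4);
    for (int i = 0; i < 3; i++) unlink(app[i]);
    unlink(bin);
    rmdir(dir);
    return distinct;
}

int main(int argc, char **argv)
{
    static const char *names[] = { "labeled", "unlabeled", "xattr unsupported", "error" };
    const char *path = argc > 1 ? argv[1] : "/";
    char label[256] = "";
    enum xattr_state s = probe_selinux_xattr(path, label, sizeof label);
    printf("%s: security.selinux %s %s\n", path, names[s], label);
    printf("busybox + 3 applet symlinks -> %d distinct inode(s)\n", demo_busybox_applets());
    return 0;
}
```

Run it with the mount point of the candidate root file system as the argument: "xattr unsupported" is the cramfs outcome that forces the extension described above, while "unlabeled" means the file system could carry labels and only the labeling step is missing. The applet check always reports one inode, which is the LIDS limitation in a single number: a rule keyed on that inode applies to ls, cat and sh alike.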

---------------------------- = ----------------------------

Functional Comparison for Embedded Usage(SE Linux vs. LIDS)
- Bootup Time Increase - 

+------------+---------------+---------------+
|            | Boot Time 1   | Boot Time 2   |
+------------+---------------+---------------+
|SE Linux    |    6.153 msec |  914.642 msec |
|LIDS        |   29.555 msec |  129.261 msec |
+------------+---------------+---------------+


* Boot Time 1
Difference between time for Linux kernel without secure OS to
boot up and time for Linux kernel with secure OS to boot up

* Boot Time 2
Time necessary to read in security setting information and to set them

*** For these measurements we built almost equivalent security
    setting files for the two secure OSes, and measured.

---------------------------- = ----------------------------

Issues on Bootup Time

* On Boot Time 1 (kernel bootup time)
  - The time measured for LIDS includes reading the security setting
    file (BOOT state). The file is read into a fixed-length buffer,
    and whenever the buffer turns out to be too small LIDS "extends
    the buffer and rereads", which is inefficient.

  - SE Linux only initializes here (registers with LSM); the security
    settings are read and applied later, in /sbin/init, during
    Boot Time 2.

---------------------------- = ----------------------------

Issues on Bootup Time

* On Boot Time 2 (time to apply the security settings)
  - Heavily dependent on the security settings

 Security setting of LIDS :     everything is accessible in principle,
                                unless stated otherwise
 Security setting of SE Linux : everything is inaccessible in principle,
                                unless stated otherwise

 => In this measurement we configured security so that all basic
    shell commands are usable, so the SE Linux policy becomes larger
    than the LIDS one.

---------------------------- = ----------------------------

Issues on Bootup Time

* On Boot Time 2 (time to apply the security settings)
  - SE Linux
    > Includes the time to write the xattrs onto cramfs, which has a
      large impact on boot time. In practical use the labels should
      be included in the file system image.
      -> That improvement would require heavy modification, including
         changes to mkcramfs, an inode extension, etc.
  - LIDS
    > Includes the transition to the POSTBOOT state, in which the
      security setting file is read again.

  On both SE Linux and LIDS, security checks start for the system
  calls executed in /sbin/init, and this overhead affects bootup time.

---------------------------- = ----------------------------

Functional Comparison for Embedded Usage(SE Linux vs. LIDS)
- Memory Footprint - 

* Increase of kernel size


+---------------+----------+----------+------------+------------+
|               |   text   |   data   |   bss      |   Total    |
+---------------+----------+----------+------------+------------+
| SE Linux      | +101,907 |   +8,212 |     +4,096 |   +114,215 |
| LIDS          |  +38,960 |  +12,312 | +1,785,856 | +1,837,128 |
+---------------+----------+----------+------------+------------+
                                                 unit$B!'(Bbytes

* Increase of memory usage just after bootup

+---------------+------------------+-------------+
|               | available memory | free memory |
+---------------+------------------+-------------+
| SE Linux      |       -264 KB    |   -1,576 KB |
| LIDS          |     -2,780 KB    |   -3,220 KB |
+---------------+------------------+-------------+


  We placed the file system image, with the security setting file on
  it, in memory, built almost equivalent security settings, and measured.

---------------------------- = ----------------------------

Issues of LIDS for Embedded Systems
- Memory Footprint - 

* The increase of bss in the kernel size is very large.
  This is because LIDS holds its security setting information in a
  large array declared as a global variable. This is too large for
  embedded systems, so we tried the following improvement:
  - Added size information when the ACL file is created
  - When the kernel reads the ACL file, it refers to the size
    information, allocates only the memory needed, and saves the
    ACL information there.

With the above modification:
  the bss increase becomes 0
  bootup time is reduced by about 20 msec
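The inefficient read loop described on the "Issues on Bootup Time" slide and the size-header fix described here are easy to model in user space. The C program below is an added example, not LIDS code and not the Toshiba modification; the file header it uses (magic "LACL" followed by a 32-bit little-endian body length) and the 3000-byte constructed policy body are assumptions of the example. It also carries the check the fix makes necessary and the slide does not spell out: a length that is read from the file system has to be bounded before it is used for an allocation.

```c
/* Added example, not LIDS or Toshiba code: a user-space model of the two
 * ways of loading an ACL file discussed on the boot-time and memory slides.
 * Pattern A reads into a fixed buffer and, whenever it fills, doubles it and
 * rereads the file from the start.  Pattern B relies on a length recorded in
 * the file when it is generated, so it allocates and reads exactly once.  The
 * header (magic "LACL", 32-bit little-endian body length) is an assumption of
 * this example, not the real LIDS format.  Both readers count what they read(). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define ACL_MAX_LEN   (1u << 20)  /* length field comes from disk: bound it before allocating */
#define DEMO_BODY_LEN 3000        /* size of the constructed policy body */

static ssize_t read_full(int fd, void *p, size_t n)
{
    size_t got = 0;
    while (got < n) {
        ssize_t r = read(fd, (char *)p + got, n - got);
        if (r < 0 && errno == EINTR) continue;
        if (r <= 0) break;                       /* EOF or error */
        got += (size_t)r;
    }
    return (ssize_t)got;
}

/* Pattern A: a full buffer cannot be told apart from "file exactly this
 * long", so the reader grows the buffer and starts over from offset 0. */
char *read_acl_reread(const char *path, size_t *out_len, size_t *bytes_read)
{
    size_t cap = 256;
    char *buf = NULL;
    *bytes_read = 0;
    for (;;) {
        char *nb = realloc(buf, cap);
        if (!nb) { free(buf); return NULL; }
        buf = nb;
        int fd = open(path, O_RDONLY);
        if (fd < 0) { free(buf); return NULL; }
        size_t got = (size_t)read_full(fd, buf, cap);
        close(fd);
        *bytes_read += got;
        if (got < cap) { *out_len = got; return buf; }
        cap *= 2;                                /* extend buffer and reread */
    }
}

/* Pattern B, writer: record the body length when the ACL file is generated. */
int write_acl_sized(const char *path, const char *body, uint32_t len)
{
    unsigned char hdr[8] = { 'L', 'A', 'C', 'L', (unsigned char)len,
        (unsigned char)(len >> 8), (unsigned char)(len >> 16), (unsigned char)(len >> 24) };
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    int ok = write(fd, hdr, sizeof hdr) == (ssize_t)sizeof hdr
          && write(fd, body, len) == (ssize_t)len;
    close(fd);
    return ok ? 0 : -1;
}

/* Pattern B, reader: one header read, one bounded allocation, one body read. */
char *read_acl_sized(const char *path, size_t *out_len, size_t *bytes_read)
{
    unsigned char hdr[8];
    *bytes_read = 0;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return NULL;
    if (read_full(fd, hdr, 8) != 8 || memcmp(hdr, "LACL", 4) != 0) { close(fd); return NULL; }
    uint32_t len = hdr[4] | (uint32_t)hdr[5] << 8 | (uint32_t)hdr[6] << 16 | (uint32_t)hdr[7] << 24;
    char *buf = len <= ACL_MAX_LEN ? malloc(len + 1) : NULL;  /* refuse absurd lengths */
    ssize_t got = buf ? read_full(fd, buf, len) : -1;
    close(fd);
    if (got != (ssize_t)len) { free(buf); return NULL; }       /* oversized or truncated */
    *bytes_read = 8 + len;
    *out_len = len;
    return buf;
}

/* Build a constructed DEMO_BODY_LEN-byte body, store it raw (sized == 0) or
 * with the header (sized != 0), load it with the matching reader and return
 * the total bytes read, or -1 on error or content mismatch. */
long demo_total_bytes(int sized)
{
    char body[DEMO_BODY_LEN], path[] = "/tmp/acl-demo-XXXXXX";
    for (int i = 0; i < DEMO_BODY_LEN; i++) body[i] = (char)('a' + i % 26);
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    int rc;
    if (sized) { close(fd); rc = write_acl_sized(path, body, DEMO_BODY_LEN); }
    else { rc = write(fd, body, DEMO_BODY_LEN) == DEMO_BODY_LEN ? 0 : -1; close(fd); }
    size_t len = 0, total = 0;
    char *got = NULL;
    if (rc == 0) got = sized ? read_acl_sized(path, &len, &total) : read_acl_reread(path, &len, &total);
    unlink(path);
    if (!got) return -1;
    int same = len == DEMO_BODY_LEN && memcmp(got, body, len) == 0;
    free(got);
    return same ? (long)total : -1;
}
```

For the 3000-byte body, demo_total_bytes(0) reports 256 + 512 + 1024 + 2048 + 3000 = 6840 bytes read across five opens of the file, while demo_total_bytes(1) reports 3008 bytes in two reads of one open; that repeated work in the BOOT state is what the 20 msec saving above removes. The ACL_MAX_LEN bound is the price of trusting a size field: without it, a corrupted or attacker-written ACL file could make the loader allocate an arbitrary amount of kernel memory.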

---------------------------- = ----------------------------

Functional Comparison for Embedded Usage(SE Linux vs. LIDS)
- Bootup Time after LIDS modified - 

+---------------+---------------+---------------+
|               | Boot Time 1   | Boot Time 2   |
+---------------+---------------+---------------+
| SE Linux      |    6.153 msec |  914.642 msec |
| LIDS          |   29.555 msec |  129.261 msec |
| LIDS modified |    5.983 msec |  131.292 msec |
+---------------+---------------+---------------+

* Boot Time 1
Difference between time for Linux kernel without secure OS to
boot up and time for Linux kernel with secure OS to boot up

* Boot Time 2
Time necessary to read in security setting information and
to set them


*** For these measurements we built almost equivalent security
    setting files for the two secure OSes, and measured.

---------------------------- = ----------------------------

Functional Comparison for Embedded Usage(SE Linux vs. LIDS)
- Memory Footprint after LIDS modified - 

* Increase of kernel size

+---------------+----------+----------+------------+------------+
|               |   text   |   data   |     bss    |    Total   |
+---------------+----------+----------+------------+------------+
| SE Linux      | +101,907 |   +8,212 |     +4,096 |   +114,215 |
| LIDS          |  +38,960 |  +12,312 | +1,785,856 | +1,837,128 |
| LIDS modified |  +42,620 |  +24,600 |          0 |    +67,220 |
+---------------+----------+----------+------------+------------+
                                                      unit$B!'(Bbytes


* Increase of memory usage just after bootup

+---------------+------------------+-------------+
|               | available memory | free memory |
+---------------+------------------+-------------+
| SE Linux      |       -264 KB    |   -1,576 KB |
| LIDS          |     -2,780 KB    |   -3,220 KB |
| LIDS modified |     -1,048 KB    |   -1,240 KB |
+---------------+------------------+-------------+

---------------------------- = ----------------------------

Summary

* Many embedded products with network connectivity are now being
  developed, and interest in security is growing.
* We installed two well-known secure operating systems for Linux,
  SE Linux and LIDS, on an embedded evaluation system, and studied
  and compared their requirements and security setting features on
  the target machine.
* We also measured the change in bootup time and memory usage on
  the evaluation system.

---------------------------- = ----------------------------

Summary

* Comparing SE Linux and LIDS:
  - For installation...
    > LIDS is superior. For SE Linux, the existing development
      environment must be modified.
  - For functions...
    > SE Linux is superior. SE Linux has very rich features,
      sufficient for our needs. On the other hand it is difficult
      to configure as intended.
    > LIDS is easy to configure, but its functions may be insufficient.
  - For memory usage...
    > SE Linux is superior. LIDS uses 3 MB just by being installed.
  - For performance...
    > LIDS is superior. In SE Linux, the overhead on system calls
      tends to be large.

---------------------------- = ----------------------------

To Do

* Would like to evaluate AppArmor
  - Failed to apply the patch to kernel 2.6.10 and gave up this time
  - Unlike LIDS or SE Linux, it seems possible to choose, per program,
    whether to enforce the secure OS features, to run them in learning
    mode, or to disable them
  - It seems that, per path name of a program file, you can write an
    access control profile specifying
      the Linux capabilities the program may hold, and
      the list of file path names to which access control applies
  - The grammar of the security setting file is rather simple
  - Some criticize that control per path name is undesirable

---------------------------- = ----------------------------

To Do

* Need to work together with system designers and application developers.
  An OS-centric approach may produce meaningless features.

* Wondering how to validate
  - Intrusion evaluation tools are insufficient for verification.
  - How can functional tests of security features be done?

---------------------------- = ----------------------------

END

---------------------------- = ----------------------------
